{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21716", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-04T15:00:06.575Z", "datePublished": "2026-03-30T19:07:28.538Z", "dateUpdated": "2026-03-31T14:27:23.323Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted."}], "affected": [{"defaultStatus": "unaffected", "vendor": "nodejs", "product": "node", "versions": [{"version": "20.20.1", "status": "affected", "lessThanOrEqual": "20.20.1", "versionType": "semver"}, {"version": "22.22.1", "status": "affected", "lessThanOrEqual": "22.22.1", "versionType": "semver"}, {"version": "24.14.0", "status": "affected", "lessThanOrEqual": "24.14.0", "versionType": "semver"}, {"version": "25.8.1", "status": "affected", "lessThanOrEqual": "25.8.1", "versionType": "semver"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.3, "baseSeverity": "LOW"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T19:07:28.538Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-862", "lang": "en", "description": "CWE-862 Missing Authorization"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T14:27:06.373734Z", "id": "CVE-2026-21716", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:27:23.323Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "nodejs", "product": "node", "versions": [{"status": "affected", "version": "20.20.1", "versionType": "semver", "lessThanOrEqual": "20.20.1"}, {"status": "affected", "version": "22.22.1", "versionType": "semver", "lessThanOrEqual": "22.22.1"}, {"status": "affected", "version": "24.14.0", "versionType": "semver", "lessThanOrEqual": "24.14.0"}, {"status": "affected", "version": "25.8.1", "versionType": "semver", "lessThanOrEqual": "25.8.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "descriptions": [{"lang": "en", "value": "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-03-30T19:07:28.538Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21716", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T14:27:06.373734Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-31T14:27:19.730Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-21716", "state": "PUBLISHED", "dateUpdated": "2026-03-30T19:07:28.538Z", "dateReserved": "2026-01-04T15:00:06.575Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-03-30T19:07:28.538Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted."}, {"lang": "es", "value": "Una soluci\u00f3n incompleta para CVE-2024-36137 deja `FileHandle.chmod()` y `FileHandle.chown()` en la API de promesas sin las comprobaciones de permisos requeridas, mientras que sus equivalentes basados en callbacks (`fs.fchmod()`, `fs.fchown()`) fueron parcheados correctamente.\n\nComo resultado, el c\u00f3digo que se ejecuta bajo `--permission` con `--allow-fs-write` restringido a\u00fan puede usar m\u00e9todos `FileHandle` basados en promesas para modificar los permisos y la propiedad de los archivos en descriptores de archivo ya abiertos, eludiendo las restricciones de escritura previstas.\n\nEsta vulnerabilidad afecta a los procesos 20.x, 22.x, 24.x y 25.x que utilizan el Modelo de Permisos donde `--allow-fs-write` est\u00e1 restringido intencionalmente."}], "id": "CVE-2026-21716", "lastModified": "2026-04-01T14:24:21.833", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-03-30T20:16:19.873", "references": [{"source": "support@hackerone.com", "url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix.", "id": "2453157", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453157"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-279", "details": ["An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.", "A flaw was found in Node.js. An incomplete security fix allows code operating under restricted file system write permissions to bypass these limitations. This vulnerability enables the modification of file permissions and ownership on already-open files, even when explicit write access is denied. Such a bypass could lead to unauthorized changes to system files."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-21716", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "nodejs22", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "nodejs24", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nodejs:24/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nodejs:22/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nodejs:24/nodejs", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-30T19:07:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-21716\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21716\nhttps://nodejs.org/en/blog/vulnerability/march-2026-security-releases"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[20.20.1,20.20.1]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[22.22.1,22.22.1]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[24.14.0,24.14.0]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[25.8.1,25.8.1]"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "node", "source": "cna", "vendor": "nodejs"}, "product": "nodejs", "vendor": "nodejs"}], "analysis": {"en": {"generated_at": "2026-04-01T05:39:08.544686+00:00", "value": {"mitigation_remediation": ["Upgrade Node.js to a version where the credential\u2011check logic for promise\u2011based methods has been corrected (see the March\u202f2026 security release notes).", "If an upgrade is not immediately possible, avoid using FileHandle.promise.chmod() or FileHandle.promise.chown() in code that operates under the Permission Model; prefer the callback versions (fs.fchmod(), fs.fchown()).", "Temporarily disable the --permission flag or remove the --allow\u2011fs\u2011write restriction for workloads that require permission\u2011changing capabilities, ensuring that only trusted code has such privileges."], "summary": {"action": "Apply Patch", "impact": "Unauthorized modification of file permissions and ownership via promise\u2011based FileHandle methods"}, "threat_synthesis": {"affected_systems": "Node.js releases 20.x, 22.x, 24.x, and 25.x run under the Permission Model with a restricted --allow\u2011fs\u2011write setting are affected. The vulnerability is specific to the promise\u2011based\u202fFileHandle API and does not impact the callback\u2011based fs.fchmod() or fs.fchown() functions, which were patched correctly. Users of these Node.js versions who rely on the Permission Model to enforce filesystem write limits are potentially exposed.", "description_and_impact": "An incomplete fix for a prior Node.js flaw left promise\u2011based\u202fFileHandle.chmod() and\u202fFileHandle.chown() without required permission checks while their callback equivalents were patched. As a result, code that is intended to be restricted under the Permission Model\u2014i.e., running with --permission and a limited --allow\u2011fs\u2011write flag\u2014can still alter permissions and ownership on already\u2011opened file descriptors. The weakness allows a malicious or compromised application to subvert intended security controls, potentially exposing sensitive files to unauthorized modification. The issue is rooted in misapplied access\u2011control logic (CWE\u2011279, CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 3.8 classifies the vulnerability as moderate, and the EPSS score of less than 1\u202f% indicates a low likelihood of exploitation in the wild. The flaw is not listed in CISA\u2019s KEV catalog, suggesting it has not yet been widely exploited. The likely attack vector is local code running inside a Node.js process configured with the Permission Model; an attacker can craft or alter code that invokes the promise methods to modify file permissions or ownership despite the --allow\u2011fs\u2011write restriction. Detection would require monitoring for abnormal permission changes from confined Node.js workloads."}}}}, "created": "2026-03-30T20:55:10.286051+00:00", "updated": "2026-04-02T07:54:01.137680+00:00", "vendors": ["nodejs", "nodejs$PRODUCT$nodejs"]}